RBI/2008-2009/387
RBI / DPSS No. 1501 / 02.14.003 / 2008-2009

February 18, 2009

The Chairman and Managing Director / Chief Executive Officers
All Scheduled Commercial Banks including RRBs /
Urban Co-operative Banks / State Co-operative Banks /.
District Central Co-operative Banks

Madam / Dear Sir

Credit/Debit Card transactions-
Security Issues and Risk mitigation measures

The use of Credit/Debit Cards has been increasing in the country. We have been reviewing various options to enhance the security of online card transactions. After extensive consultations with banks/card companies, it has been decided as under:

2. It would be mandatory to put in place with effect from August 01, 2009:

i) A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions (for which separate instructions will follow).

ii) A system of "Online Alerts" to the cardholder for all 'card not present' transactions of the value of Rs. 5,000/ and above.

3. Banks are advised to strictly adhere to the instructions and time discipline indicated in this circular. Non-adherence to the directives shall attract penalties prescribed under the Payment and Settlement Systems Act 2007 (Act 51 of 2007).

4. This directive is issued under section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).

5. Please acknowledge receipt.

Yours faithfully

(G. Padmanabhan)
Chief General Manager